Merge branch 'master' into edwarddowling/max-duration-fix

.github/workflows/doc-tests.yaml

@@ -134,7 +134,7 @@ jobs:
       - name: Run the linter
         uses: errata-ai/vale-action@d89dee975228ae261d22c15adcd03578634d429c # v2.1.1
         with:
-          version: 2.30.0
+          version: 3.9.4
           # Take the comma-separated list of files returned by the "Check for
           # relevant changes" job.
           separator: ","

api/proto/teleport/legacy/types/types.proto

@@ -6711,7 +6711,7 @@ message PluginOktaSyncSettings {
 
   // AppName is the Okta-assigned unique name of the Okta App that Teleport uses
   // as a gateway to interact with Okta for SAML login, SCIM provisioning and user
-  // sync. May be missing for old Okta integration installs.
+  // sync.
   string app_name = 8;
 
   // DisableSyncAppGroups disables syncing of app groups from Okta.
@@ -7180,7 +7180,9 @@ message PluginOktaStatusDetailsSSO {
   // SSO login.
   string app_id = 2;
 
-  // AppName is the human-readable name of the Okta Applicaion used for SSO.
+  // AppName is the Okta-assigned unique name of the Okta App that Teleport uses
+  // as a gateway to interact with Okta for SAML login, SCIM provisioning and user
+  // sync.
   string app_name = 3;
 }
 

api/proto/teleport/okta/v1/okta_service.proto

@@ -150,14 +150,10 @@ message UpdateIntegrationRequest {
   bool enable_app_group_sync = 6;
   // Settings related to access list synchronization.
   AccessListSettings access_list_settings = 7;
-  // Option to reuse an existing connector.
-  string reuse_connector = 8;
-  // SSO metadata URL for integration.
-  string sso_metadata_url = 9;
   // Enable sync from Teleport to Okta. If disabled it will prevent creating Okta assignments which
   // in turn will disable JIT Access Requests. Makes sense only when apps and groups sync is
   // enabled.
-  bool enable_bidirectional_sync = 10;
+  bool enable_bidirectional_sync = 8;
 }
 
 // AccessListSettings contains the settings for access list synchronization.

docs/pages/admin-guides/management/guides/github-integration.mdx

@@ -53,7 +53,7 @@ Go to "OAuth Apps" under "Developer Settings" of your organization's settings.
 Click on "New OAuth App".
 
 Fill in the details. Use the following for "Authentication callback URL":
-```
+```code
 https://<Var name="teleport-proxy-address"/>/v1/webapi/github/
 ```
 
@@ -86,7 +86,7 @@ previous step.
 
 To create the resource with `tctl`, run:
 ```code
-$ tctl create -f github_integration.yaml
+$ tctl create github_integration.yaml
 ```
 
 Once the integration resource is created, export the CA to be used for GitHub:
@@ -117,7 +117,7 @@ spec:
 
 To create the resource with `tctl`, run:
 ```code
-$ tctl create -f git_server.yaml
+$ tctl create git_server.yaml
 ```
 
 The user role must have `github_permissions` configured to allow access to your

docs/pages/enroll-resources/database-access/auto-user-provisioning/mongodb.mdx

@@ -11,6 +11,10 @@ description: Configure automatic user provisioning for MongoDB.
 - A self-hosted MongoDB database enrolled with your Teleport cluster. Follow
   the [Teleport documentation](../enroll-self-hosted-databases/mongodb-self-hosted.mdx) to learn how
   to enroll your database.
+  Your MongoDB database must have Role-Based Access Control (RBAC) enabled by
+  setting
+  [`security.authorization`](https://www.mongodb.com/docs/manual/reference/configuration-options/#mongodb-setting-security.authorization)
+  to `enabled` in the configuration file.
 - Ability to connect to and create user accounts in the target database.
 
 <Admonition type="note" title="Supported services">

docs/pages/enroll-resources/database-access/auto-user-provisioning/postgres.mdx

@@ -41,6 +41,19 @@ Note that the RDS database must have IAM authentication enabled.
 
 Refer to the [AWS documentation](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/UsingWithRDS.IAMDBAuth.DBAccounts.html) to make sure you are using the `rds_iam` role correctly.
 for more information.
+
+If the admin user needs to grant the `rds_superuser` role to auto-provisioned
+users, the admin user must also be a `rds_superuser`:
+```sql
+GRANT rds_superuser TO "teleport-admin";
+```
+
+For PostgreSQL 16+, you must grant the `ADMIN` option to the admin user for each
+PostgreSQL role that Teleport will assign to your Teleport user. For example, to
+allow the admin user to grant and revoke role `reader`:
+```sql
+GRANT reader TO "teleport-admin" WITH ADMIN OPTION;
+```
 </TabItem>
 <TabItem label="Self-hosted PostgreSQL">
 The self-hosted PostgreSQL admin user must have X.509 authentication configured.
@@ -49,6 +62,13 @@ The self-hosted PostgreSQL admin user must have X.509 authentication configured.
 CREATE USER "teleport-admin" login createrole;
 ```
 
+For PostgreSQL 16+, you must grant the `ADMIN` option to the admin user for each
+PostgreSQL role that Teleport will assign to your Teleport user. For example, to
+allow the admin user to grant and revoke role `reader`:
+```sql
+GRANT reader TO "teleport-admin" WITH ADMIN OPTION;
+```
+
 Note that the database must be configured to accept client certificate auth
 for the admin user by having the following entries in `pg_hba.conf`:
 
@@ -63,7 +83,13 @@ to ensure that your configuration is correct.
 </Tabs>
 
 <Admonition type="note" title="Database Access Controls for `teleport-admin`">
-When [Database Access Controls](../rbac.mdx) feature is in use, the `teleport-admin` should have permissions to relevant database objects. For example:
+When [Database Access Controls](../rbac.mdx) feature is in use, the
+`teleport-admin` should have permissions to relevant database objects. You can
+grant `teleport-admin` the `SUPERUSER` option for self-hosted databases, or the
+`rds_superuser` role for RDS databases.
+
+For improved security through the principle of least privilege, you can also
+assign permissions directly to specific database objects. For example:
 
 ```sql
 GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA schema1, schema2, schema3 TO "teleport-admin";
@@ -75,10 +101,6 @@ the database, which will be created automatically if it doesn't exist.
 
 (!docs/pages/includes/database-access/auto-user-provisioning/db-definition-default-dbname.mdx protocol="postgres" uri="localhost:5432" default="the same database that the user is accessing" !)
 
-<Admonition type="warning" title="Procedure Privileges in PostgreSQL 15+">
-(!docs/pages/includes/database-access/auto-user-provisioning/postgres15-grant-create.mdx!)
-</Admonition>
-
 ## Step 2/3. Configure a Teleport role
 
 Database permissions are associated with a Teleport role, which can either allocate predefined database roles (configured in each database) or define specific database object permissions directly. Teleport grants these permissions for the duration of the connection.
@@ -169,10 +191,6 @@ Users created within the database will:
 
 ## Troubleshooting
 
-### Permission denied for schema public error
-
-(!docs/pages/includes/database-access/auto-user-provisioning/postgres15-grant-create.mdx!)
-
 ### User does not have CONNECT privilege error
 
 You may encounter the following error when the admin user or the roles assigned

docs/pages/enroll-resources/server-access/guides/host-user-creation.mdx

@@ -218,6 +218,45 @@ If multiple entries are specified in the `host_user_uid` or `host_user_gid` only
 
 </Admonition>
 
+For Teleport users that don't have a `host_user_uid` trait, starting from Teleport 17.3, it's possible to configure the cluster to assign the same UID for any given username for automatically created host users across all Teleport SSH instances.
+
+Edit your cluster authentication preference using the following command:
+
+```code
+$ tctl edit cluster_auth_preference
+```
+
+In your editor, ensure that your `cluster_auth_preference` includes a `stable_unix_user_config` field similar to the following:
+
+```yaml
+kind: cluster_auth_preference
+version: v2
+metadata:
+  name: cluster-auth-preference
+spec:
+  # ...
+  stable_unix_user_config:
+    enabled: true
+    first_uid: 90000
+    last_uid: 95000
+```
+
+The range of UIDs between `first_uid` and `last_uid` (inclusive) will be used by Teleport to assign UIDs for new users, and you should make sure it's not a range of UIDs already in use by other services or workloads across your fleet of servers. While UID allocations in Linux can vary, we recommend sticking to one of the available ranges listed in the [systemd documentation for "Users, Groups, UIDs and GIDs on systemd Systems"](https://github.com/systemd/systemd/blob/main/docs/UIDS-GIDS.md).
+
+Once enabled, all Teleport SSH instances (of version 17.3 and newer) will use the UID provided by the control plane when automatically creating a new host user, if no other UID is specified by the user trait.
+
+<Admonition type="note">
+
+Teleport will only use the UID defined by the control plane if the `create_host_user_mode` is `keep` (and not `insecure-drop`), and only for automatically created host users that were created after the feature was enabled. The UID will not be applied to users that already exist, and it will not take effect for static host users.
+
+</Admonition>
+
+You can inspect the list of assigned UIDs with the following command:
+
+```code
+$ tctl stable-unix-users ls
+```
+
 ### Step 3/4. Configure sudoers on your Linux servers
 
 Teleport host user creation leverages the `sudoers.d` directory for new users. 

docs/pages/includes/config-reference/auth-service.yaml

@@ -266,6 +266,16 @@ auth_service:
         # "14h30m", "1h" etc.
         default_session_ttl: 12h
 
+        stable_unix_user_config:
+            # If set to true, SSH instances will use the same UID for each given
+            # username when automatically creating users. Defaults to false.
+            enabled: false
+
+            # The range of UIDs (including both ends) used for automatic UID
+            # assignment. Ignored if enabled is set to false.
+            #first_uid: 90000
+            #last_uid: 95000
+
     # IP and the port to bind to. Other Teleport Nodes will be connecting to
     # this port (AKA "Auth API" or "Cluster API") to validate client
     # certificates

docs/pages/reference/cli/tctl.mdx

@@ -1549,6 +1549,36 @@ $ tctl get saml/your-connector-name --with-secrets | tctl sso test
   Make sure to include `--with-secrets` flag, or the exported auth connector will not be testable.
 </Admonition>
 
+## tctl stable-unix-users ls
+
+List the stored usernames and UIDs for automatically created users:
+
+```code
+$ tctl stable-unix-users ls
+```
+
+### Arguments
+
+This command accepts no arguments.
+
+### Flags
+
+| Name | Default Value(s) | Allowed Value(s) | Description |
+| - | - | - | - |
+| `--format` | `text` | `json` or `text` | Output format |
+
+### Examples
+
+```code
+$ tctl stable-unix-users ls
+Username UID
+-------- -----
+alice    90000
+bob      90002
+carol    90003
+dan      90001
+```
+
 ## tctl status
 
 Report cluster and Certificate Authority status:

docs/pages/reference/resources.mdx

@@ -308,6 +308,15 @@ spec:
   # Possible values: "local", "oidc", "saml" and "github"
   type: local
 
+  stable_unix_user_config:
+    # If set to true, SSH instances will use the same UID for each given
+    # username when automatically creating users.
+    enabled: false
+
+    # The range of UIDs (including both ends) used for automatic UID assignment.
+    first_uid: 90000
+    last_uid: 95000
+
 version: v2
 ```
 

examples/teleport-usage/go.mod

@@ -3,11 +3,27 @@ module usage-script
 go 1.22
 
 require (
-	github.com/aws/aws-sdk-go v1.47.4
+	github.com/aws/aws-sdk-go-v2 v1.35.0
+	github.com/aws/aws-sdk-go-v2/config v1.29.3
+	github.com/aws/aws-sdk-go-v2/feature/dynamodb/attributevalue v1.17.0
+	github.com/aws/aws-sdk-go-v2/service/dynamodb v1.39.7
 	github.com/stretchr/testify v1.8.3
 )
 
 require (
+	github.com/aws/aws-sdk-go-v2/credentials v1.17.56 // indirect
+	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.26 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.30 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.30 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.2 // indirect
+	github.com/aws/aws-sdk-go-v2/service/dynamodbstreams v1.24.17 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.2 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/endpoint-discovery v1.10.11 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.11 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sso v1.24.13 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.28.12 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sts v1.33.11 // indirect
+	github.com/aws/smithy-go v1.22.2 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/jmespath/go-jmespath v0.4.0 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect

examples/teleport-usage/go.sum

@@ -1,5 +1,37 @@
-github.com/aws/aws-sdk-go v1.47.4 h1:IyhNbmPt+5ldi5HNzv7ZnXiqSglDMaJiZlzj4Yq3qnk=
-github.com/aws/aws-sdk-go v1.47.4/go.mod h1:LF8svs817+Nz+DmiMQKTO3ubZ/6IaTpq3TjupRn3Eqk=
+github.com/aws/aws-sdk-go-v2 v1.35.0 h1:jTPxEJyzjSuuz0wB+302hr8Eu9KUI+Zv8zlujMGJpVI=
+github.com/aws/aws-sdk-go-v2 v1.35.0/go.mod h1:JgstGg0JjWU1KpVJjD5H0y0yyAIpSdKEq556EI6yOOM=
+github.com/aws/aws-sdk-go-v2/config v1.29.3 h1:a5Ucjxe6iV+LHEBmYA9w40rT5aGxWybx/4l/O/fvJlE=
+github.com/aws/aws-sdk-go-v2/config v1.29.3/go.mod h1:pt9z1x12zDiDb4iFLrxoeAKLVCU/Gp9DL/5BnwlY77o=
+github.com/aws/aws-sdk-go-v2/credentials v1.17.56 h1:JKMBreKudV+ozx6rZJLvEtiexv48aEdhdC7mXUw9MLs=
+github.com/aws/aws-sdk-go-v2/credentials v1.17.56/go.mod h1:S3xRjIHD8HHFgMTz4L56q/7IldfNtGL9JjH/vP3U6DA=
+github.com/aws/aws-sdk-go-v2/feature/dynamodb/attributevalue v1.17.0 h1:OljitD0YIY2qkKpHChC+CMjKywEsqDLhUlHOI2AseXQ=
+github.com/aws/aws-sdk-go-v2/feature/dynamodb/attributevalue v1.17.0/go.mod h1:bcffXfieyW3VfH02hxx6MBuCU9UOBRguc4iS7mV7V9E=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.26 h1:XMBqBEuZLf8yxtH+mU/uUDyQbN4iD/xv9h6he2+lzhw=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.26/go.mod h1:d0+wQ/3CYGPuHEfBTPpQdfUX7gjk0/Lxs5Q6KzdEGY8=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.30 h1:+7AzSGNhHoY53di13lvztf9Dyd/9ofzoYGBllkWp3a0=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.30/go.mod h1:Jxd/FrCny99yURiQiMywgXvBhd7tmgdv6KdlUTNzMSo=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.30 h1:Ex06eY6I5rO7IX0HalGfa5nGjpBoOsS1Qm3xfjkuszs=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.30/go.mod h1:AvyEMA9QcX59kFhVizBpIBpEMThUTXssuJe+emBdcGM=
+github.com/aws/aws-sdk-go-v2/internal/ini v1.8.2 h1:Pg9URiobXy85kgFev3og2CuOZ8JZUBENF+dcgWBaYNk=
+github.com/aws/aws-sdk-go-v2/internal/ini v1.8.2/go.mod h1:FbtygfRFze9usAadmnGJNc8KsP346kEe+y2/oyhGAGc=
+github.com/aws/aws-sdk-go-v2/service/dynamodb v1.39.7 h1:JFLdDS6ZGKoZii7O+9IBsuvCnvW2vSbseNBji8OKEo8=
+github.com/aws/aws-sdk-go-v2/service/dynamodb v1.39.7/go.mod h1:8blEsG2cwaS8BK1YiWSEWFwmVav7i7EJk5swid5Vhcw=
+github.com/aws/aws-sdk-go-v2/service/dynamodbstreams v1.24.17 h1:jPqYzzklr/WkOk5imqvgpm4MkGLoXs6daKsoQSQiSrg=
+github.com/aws/aws-sdk-go-v2/service/dynamodbstreams v1.24.17/go.mod h1:DRtG2Ux6Ba26Q+bt/ef7gHa10ilrfqobnAAnmBIPnuk=
+github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.2 h1:D4oz8/CzT9bAEYtVhSBmFj2dNOtaHOtMKc2vHBwYizA=
+github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.2/go.mod h1:Za3IHqTQ+yNcRHxu1OFucBh0ACZT4j4VQFF0BqpZcLY=
+github.com/aws/aws-sdk-go-v2/service/internal/endpoint-discovery v1.10.11 h1:f36sb0FYLZui8mzV6o8DxkUyvOdZfkemyCPTGDJdWhE=
+github.com/aws/aws-sdk-go-v2/service/internal/endpoint-discovery v1.10.11/go.mod h1:MaBbVwqDmlH9ytOOcERyVQ+Z6nvWkEdRy0k44m3MYkE=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.11 h1:5JKQ2J3BBW4ovy6A/5Lwx9SpA6IzgH8jB3bquGZ1NUw=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.11/go.mod h1:VShCk7rfCzK/b9U1aSkzLwcOoaDlYna16482QqEavis=
+github.com/aws/aws-sdk-go-v2/service/sso v1.24.13 h1:q4pOAKxypbFoUJzOpgo939bF50qb4DgYshiDfcsdN0M=
+github.com/aws/aws-sdk-go-v2/service/sso v1.24.13/go.mod h1:G/0PTg7+vQT42ictQGjJhixzTcVZtHFvrN/OeTXrRfQ=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.28.12 h1:4sGSGshSSfO1vrcXruPick3ioSf8nhhD6nuB2ni37P4=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.28.12/go.mod h1:NHpu/pLOelViA4qxkAFH10VLqh+XeLhZfXDaFyMVgSs=
+github.com/aws/aws-sdk-go-v2/service/sts v1.33.11 h1:RIXOjp7Dp4siCYJRwBHUcBdVgOWflSJGlq4ZhMI5Ta0=
+github.com/aws/aws-sdk-go-v2/service/sts v1.33.11/go.mod h1:ZR17k9bPKPR8u0IkyA6xVsjr56doNQ4ZB1fs7abYBfE=
+github.com/aws/smithy-go v1.22.2 h1:6D9hW43xKFrRx/tXXfAlIZc4JI+yQe6snnWcQyxSyLQ=
+github.com/aws/smithy-go v1.22.2/go.mod h1:irrKGvNn1InZwb2d7fkIRNucdfwR8R+Ts3wxYa/cJHg=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=